The status of this implementation is somewhat complete . Iron is
complete, Hawk is complete, but lacks a good client API. Oz is
partially complete .
done: Use the “Data.SecureMem” package for hash equality comparisons. done: password lookup by ID. done: bewit authentication yesod authentication plugin rename default functions to def and re-export def client ext –> (FromJSON a, ToJSON a)
WWW-Authenticate header response expect(Hawk.utils.unauthorized(‘kaboom’).output.headers[‘WWW-Authenticate’]).to.equal(‘Hawk error=”kaboom”’);
expect(Hawk.utils.unauthorized(‘kaboom’, { a: ‘b’ }).output.headers[‘WWW-Authenticate’]).to.equal(‘Hawk a=”b”, error=”kaboom”’);
allow pre-calculated payload hashes payloadHash :: Algorithm or Creds -> ContentType -> ByteString -> PayloadHash
client.message.authenticate() server.authenticateMessage() helper function for client-side nonce validation Server responses have the client-generated nonce included, so are
usually save from response replays. But if the client response
handler is an api endpoint available to attacker, then the client
needs to validate nonces.
A decent client API and ticket endpoints for Oz #! /usr/bin/env nix-shell#! nix-shell -i bash -p rsynccd ` dirname $0 ` Production testing in a real-world application remove utf8 partial functions use more utils from errors package
avoids bring in wai and/or scotty for iron and/or hawk
URIs should be ByteString not Text try to upgrade license to LGPL Need to contact Hammer about derivatives of his work.
done: Iron unit tests, same as js impl More unit tests around invalid passwords/keys/salts done: Sunny day unit tests Implement full suite coming from js impl nix builds of hawk implementations e.g. javascript, python, go
specify ‘license-file’ in cabal cut down ‘description’ in cabal set package “stability” attribute move description into README.md
add README.md as an extra source in cabal
some build-depends lower version bounds maybe?